Skip to main content

Modernizing Drupal’s Username Security Policy in the AI Era

Nov 26, 2024

Data security has become more critical than ever in today’s rapidly advancing digital landscape. Organizations must adapt adequate security and privacy standards to protect their users, data, and reputation. This is especially true for platforms like Drupal, which powers countless public facing websites across various industries. Cybersecurity and privacy regulations have been introduced and revisited to coordinate our response to these challenges sooner than the age of AI would have come.

The evolution of Drupal as an API-first platform

Since the release of Drupal 8, the platform has transformed from a traditional CMS to an API-first framework, meeting the demands of modern web development. JSON:API module's integration into Drupal 8.7.0 was a milestone that made it possible to access and interact with content in Drupal through standardized APIs. This made Drupal an ideal choice for decoupled and hybrid applications, combining it with modern frontend JavaScript frameworks, becoming a backend for Internet of Things (IoT), and beyond.

This API-first approach meets the needs of modern applications but also opens up new challenges in security and data privacy, especially given the rise of artificial intelligence. As more systems connect through APIs, they become potential entry points for malicious activity, underlining the importance of robust security measures.

Drupal's pioneering role in security

Drupal has consistently led the way in security within the open-source CMS landscape, thanks to its dedicated security team and community-driven development model. Security practices in Drupal are guided by well-defined policies and security vulnerabilities are addressed in a controlled manner - making Drupal a trusted choice for enterprises, governments, and other high-stakes environments. Yet, the shift to API-first and headless implementations brings new considerations for data privacy and security practices.

When JSON:API module is enabled with default configuration and no additional security hardening, it creates a standard, public-facing interface that exposes all registered users’ usernames on a Drupal site to visitors, there was no such interface before JSON:API module got merged to Drupal. This change raised privacy concerns and triggered an ongoing community discussion about username exposure by default. Publicly available usernames, while beneficial in some contexts (e.g. community sites or public leaderboards), can also pose security risks, including vulnerability to brute-force attacks, credential stuffing, and social engineering tactics. These threats, while always present, are increasingly sophisticated in the AI era, necessitating a more nuanced approach to username visibility.

Diverse security requirements in a complex landscape

Drupal serves a diverse user base with varying security needs - from public community platforms to developer portals like we build for a wide range of customers from various industries. Our customers are subject to the Payment Services Directive (PSD2), Digital Operational Resilience Act (DORA), Network and Information Security (NIS2) and the General Data Protection Regulation (GDPR) requirements, just to name a few. Given these requirements, the default exposure of usernames could contradict privacy policies, and many organizations prefer more granular control over what data is made publicly available.

Our contribution to username privacy in Drupal

Pronovix developed solutions to address these challenges on the developer portals we build and support for our clients, where they have been successfully in use for some time. Today, we are excited to open-source two of these components to provide developers, site builders, and individuals with fine-grained control over username visibility:

  1. View Usernames: This module introduces a configurable API for implementing custom rules, or "deciders," that manage username visibility. It also changes Drupal’s default policy, so only users with “administer users” or “view usernames” permissions can view other users' usernames.
  2. View Usernames Node Author: This module allows content authors’ usernames to be visible only to those with access to at least one of their authored nodes, balancing community visibility with security needs.

At Pronovix, we view these contributions as an initial step toward integrating a comprehensive solution for a more sophisticated and granular access control over usernames within Drupal core. We are committed to collaborating with the Drupal community to implement a stable approach that enhances username privacy while preserving Drupal’s flexibility. As AI and cybersecurity continue to evolve, we believe that adaptable data privacy measures will become an essential feature for secure, future-proof platforms like Drupal.

Stay tuned for a follow-up post where we’ll dive into the implementation details of these modules and how they can be customized to suit various site requirements.

laptop with API in large letters over the keyboard

Are you interested in our solution and want to discuss how we can help? Contact us, and we can talk about your specific case.

 

 

 

All Pronovix publications are the fruit of a team effort, enabled by the research and collective knowledge of the entire Pronovix team. Our ideas and experiences are greatly shaped by our clients and the communities we participate in.

Dezső is the Chief Technology Officer at Pronovix. He wanted to have a computer from a very young age — not for playing games, but to do programming and other cool stuff. He started learning web programming at high school where he met his mentor László Csécsy (boobaa) who introduced him to Drupal. He earned a BSc degree in Bachelor of Business Information Technology and later an MSc degree in Software Engineering at the University of Szeged in Hungary. Thanks to his enthusiasm for computers and programming he is always ready to improve his skills, and can quickly learn new languages and technologies.

Ákos had started his career as a Drupal developer, and with his experience in Linux server management, he subsequently led the infrastructure and architecture planning of web portal projects as a technical project manager. Having acquired degrees in common law, English legal translation and EU data protection (GDPR) as a consultant, he has been piloting Pronovix’s Legal Team and contracting. As a Chief Information Security Officer, he is leading Pronovix’s information security and data privacy efforts.

Newsletter

Articles on devportals, DX and API docs, event recaps, webinars, and more. Sign up to be up to date with the latest trends and best practices.

 

Subscribe